< draft-ietf-perc-private-media-framework-10.txt   draft-ietf-perc-private-media-framework-11.txt >
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft Cisco Internet-Draft Cisco
Intended status: Standards Track D. Benham Intended status: Standards Track D. Benham
Expires: November 2, 2019 C. Groves Expires: November 22, 2019 C. Groves
Independent Independent
May 1, 2019 May 21, 2019
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing (PERC)
draft-ietf-perc-private-media-framework-10 draft-ietf-perc-private-media-framework-11
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distributors are not trusted with the end-to-end media encryption distributors are not trusted with the end-to-end media encryption
keys. The solution aims to build upon existing security mechanisms keys. The solution builds upon existing security mechanisms defined
defined for the real-time transport protocol (RTP). for the real-time transport protocol (RTP).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 2, 2019. This Internet-Draft will expire on November 22, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 5 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 5
3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5 3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5
3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 6 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 6
3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 7
3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7
4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 8
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 10
4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 10 4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 10
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 11
4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11
4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 4.5.2. Key Exchange during a Conference . . . . . . . . . . 13
5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 14
5.2. Certificate Fingerprints in Session Signaling . . . . . . 14 5.2. Certificate Fingerprints in Session Signaling . . . . . . 14
5.3. Conferences Identification . . . . . . . . . . . . . . . 14 5.3. Conference Identification . . . . . . . . . . . . . . . . 15
6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.1. Key Inventory and Management Considerations . . . . . . . 15 6.1. Key Inventory and Management Considerations . . . . . . . 15
6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 15 6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 16
6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 16 6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 17
6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 17 6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 18
6.5. Summary of Key Types and Entity Possession . . . . . . . 17 6.5. Summary of Key Types and Entity Possession . . . . . . . 18
7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 18 7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 19 8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 20
8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 20 8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 21
8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 20 8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 21
8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 21 8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 22
8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 21 8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 22
8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 22 8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 23
8.2.5. RTCP Attacks . . . . . . . . . . . . . . . . . . . . 22 8.2.5. RTCP Attacks . . . . . . . . . . . . . . . . . . . . 23
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 8.3. Key Distributor Attacks . . . . . . . . . . . . . . . . . 23
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22 8.4. Endpoint Attacks . . . . . . . . . . . . . . . . . . . . 24
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
11.1. Normative References . . . . . . . . . . . . . . . . . . 22 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
11.2. Informative References . . . . . . . . . . . . . . . . . 23 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
11.1. Normative References . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 11.2. Informative References . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a Media transrated, recomposed, or otherwise manipulated by a Media
Distributor, as might be the case with a traditional media server or Distributor, as might be the case with a traditional media server or
multipoint control unit (MCU). Instead, media flows transmitted by multipoint control unit (MCU). Instead, media flows transmitted by
skipping to change at page 3, line 29 skipping to change at page 3, line 30
criteria. In some instances, Media Distributors may make limited criteria. In some instances, Media Distributors may make limited
modifications to RTP [RFC3550] headers, for example, but the actual modifications to RTP [RFC3550] headers, for example, but the actual
media content (e.g., voice or video data) is unaltered. media content (e.g., voice or video data) is unaltered.
An advantage of switched conferencing is that Media Distributors can An advantage of switched conferencing is that Media Distributors can
be more easily deployed on general-purpose computing hardware, be more easily deployed on general-purpose computing hardware,
including virtualized environments in private and public clouds. including virtualized environments in private and public clouds.
Virtualized public cloud environments have been viewed as less secure Virtualized public cloud environments have been viewed as less secure
since resources are not always physically controlled by those who use since resources are not always physically controlled by those who use
them and since there are usually several ports open to the public. them and since there are usually several ports open to the public.
This document aims to improve security so as to lower the barrier to This document defines improved security so as to lower the barrier to
taking advantage of those environments. taking advantage of those environments.
This document defines a solution framework wherein media privacy is This document defines a solution framework wherein media privacy is
ensured by making it impossible for a media distributor to gain ensured by making it impossible for a Media Distributor to gain
access to keys needed to decrypt or authenticate the actual media access to keys needed to decrypt or authenticate the actual media
content sent between conference participants. At the same time, the content sent between conference participants. At the same time, the
framework allows for the Media Distributors to modify certain RTP framework allows for the Media Distributors to modify certain RTP
headers; add, remove, encrypt, or decrypt RTP header extensions; and headers; add, remove, encrypt, or decrypt RTP header extensions; and
encrypt and decrypt RTP Control Protocol (RTCP) [RFC3550] packets. encrypt and decrypt RTP Control Protocol (RTCP) [RFC3550] packets.
The framework also prevents replay attacks by authenticating each The framework also prevents replay attacks by authenticating each
packet transmitted between a given participant and the media packet transmitted between a given participant and the Media
distributor using a unique key per endpoint that is independent from Distributor using a unique key per Endpoint that is independent from
the key for media encryption and authentication. the key for media encryption and authentication.
A goal of this document is to define a framework for enhanced privacy This solution framework provides for enhanced privacy in RTP-based
in RTP-based conferencing environments while utilizing existing conferencing environments while utilizing existing security
security procedures defined for RTP with minimal enhancements. procedures defined for RTP with minimal enhancements.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Additionally, this solution framework uses the following terms and Additionally, this solution framework uses the following terms and
acronyms: acronyms:
End-to-End (E2E): Communications from one endpoint through one or End-to-End (E2E): Communications from one Endpoint through one or
more Media Distributors to the endpoint at the other end. more Media Distributors to the Endpoint at the other end.
Hop-by-Hop (HBH): Communications between an endpoint and a Media Hop-by-Hop (HBH): Communications between an Endpoint and a Media
Distributor or between Media Distributors. Distributor or between Media Distributors.
Trusted Endpoint: An RTP flow terminating entity that has possession Trusted Endpoint (or simply Endpoint): An RTP flow terminating entity
of E2E media encryption keys and terminates E2E encryption. This may that has possession of E2E media encryption keys and terminates E2E
include embedded user conferencing equipment or browsers on encryption. This may include embedded user conferencing equipment or
computers, media gateways, MCUs, media recording device and more that browsers on computers, media gateways, MCUs, media recording devices
are in the trusted domain for a given deployment. In the context of and more that are in the trusted domain for a given deployment. In
WebRTC, where control of a session is divided between a JavaScript the context of WebRTC [W3C.CR-webrtc-20180927], where control of a
application and a browser, the browser acts as the Trusted Endpoint session is divided between a JavaScript application and a browser,
for purposes of this framework (just as it acts as the endpoint for the browser acts as the Trusted Endpoint for purposes of this
DTLS-SRTP [RFC5764] in one-to-one calls). framework (just as it acts as the endpoint for DTLS-SRTP [RFC5764] in
one-to-one calls).
Media Distributor (MD): An RTP middlebox that forwards endpoint media Media Distributor (MD): An RTP middlebox that forwards Endpoint media
content (e.g., voice or video data) unaltered, either a subset or all content (e.g., voice or video data) unaltered, either a subset or all
of the flows at any given time, and is never allowed to have access of the flows at any given time, and is never allowed to have access
to E2E encryption keys. It operates according to the Selective to E2E encryption keys. It operates according to the Selective
Forwarding Middlebox RTP topologies [RFC7667] per the constraints Forwarding Middlebox RTP topologies [RFC7667] per the constraints
defined by the PERC system, which includes, but not limited to, defined by the PERC system, which includes, but is not limited to,
having no access to RTP media unencrypted and having limits on what having no access to RTP media plaintext and having limits on what RTP
RTP header field it can alter. The header fields that may be header field it can alter. The header fields that may be modified by
modified by a Media Distributor are enumerated in Section 4 of the a Media Distributor are enumerated in Section 4 of the Double
Double cryptographic transform specification [I-D.ietf-perc-double] cryptographic transform specification [I-D.ietf-perc-double] and
and chosen with respect to utility and the security considerations chosen with respect to utility and the security considerations
outlined in this document. outlined in this document.
Key Distributor: An entity that is a logical function which Key Distributor: An entity that is a logical function which
distributes keying material and related information to trusted distributes keying material and related information to Trusted
endpoints and Media Distributor(s), only that which is appropriate Endpoints and Media Distributor(s), only that which is appropriate
for each. The Key Distributor might be co-resident with another for each. The Key Distributor might be co-resident with another
entity trusted with E2E keying material. entity trusted with E2E keying material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via Trusted
endpoints to exchange RTP flows through one or more Media Endpoints to exchange RTP flows through one or more Media
Distributor. Distributor.
Call Processing: All trusted endpoints in the conference connect to Call Processing: All Trusted Endpoints in the conference connect to
it by a call processing dialog, such as with the Focus defined in the it by a call processing dialog, such as with the Focus defined in the
Framework for Conferencing with SIP [RFC4353]. Framework for Conferencing with SIP [RFC4353].
Third Party: Any entity that is not an Endpoint, Media Distributor, Third Party: Any entity that is not an Endpoint, Media Distributor,
Key Distributor or Call Processing entity as described in this Key Distributor or Call Processing entity as described in this
document. document.
3. PERC Entities and Trust Model 3. PERC Entities and Trust Model
The following figure depicts the trust relationships, direct or The following figure depicts the trust relationships, direct or
indirect, between entities described in the subsequent sub-sections. indirect, between entities described in the subsequent sub-sections.
Note that these entities may be co-located or further divided into Note that these entities may be co-located or further divided into
multiple, separate physical devices. multiple, separate physical devices.
Please note that some entities classified as untrusted in the simple, Please note that some entities classified as untrusted in the simple,
general deployment scenario used most commonly in this document might general deployment scenario used most commonly in this document might
be considered trusted in other deployments. This document does not be considered trusted in other deployments. This document does not
preclude such scenarios, but keeps the definitions and examples preclude such scenarios, but keeps the definitions and examples
focused by only using the the simple, most general deployment focused by only using the simple, most general deployment scenario.
scenario.
| |
+----------+ | +-----------------+ +----------+ | +-----------------+
| Endpoint | | | Call Processing | | Endpoint | | | Call Processing |
+----------+ | +-----------------+ +----------+ | +-----------------+
| |
| |
+----------------+ | +--------------------+ +----------------+ | +--------------------+
| Key Distributor| | | Media Distributor | | Key Distributor| | | Media Distributor |
+----------------+ | +--------------------+ +----------------+ | +--------------------+
skipping to change at page 6, line 12 skipping to change at page 6, line 18
trustworthiness domains are referred to as untrusted entities from trustworthiness domains are referred to as untrusted entities from
this point forward. this point forward.
It is important to understand that untrusted in this document does It is important to understand that untrusted in this document does
not mean an entity is not expected to function properly. Rather, it not mean an entity is not expected to function properly. Rather, it
means only that the entity does not have access to the E2E media means only that the entity does not have access to the E2E media
encryption keys. encryption keys.
3.1.1. Media Distributor 3.1.1. Media Distributor
A Media Distributor forwards RTP flows between endpoints in the A Media Distributor forwards RTP flows between Endpoints in the
conference while performing per-hop authentication of each RTP conference while performing per-hop authentication of each RTP
packet. The Media Distributor may need access to one or more RTP packet. The Media Distributor may need access to one or more RTP
headers or header extensions, potentially adding or modifying a headers or header extensions, potentially adding or modifying a
certain subset. The Media Distributor also relays secured messaging certain subset. The Media Distributor also relays secured messaging
between the endpoints and the Key Distributor and acquires per-hop between the Endpoints and the Key Distributor and acquires per-hop
key information from the Key Distributor. The actual media content key information from the Key Distributor. The actual media content
must not be decryptable by a Media Distributor, as it is untrusted to must not be decryptable by a Media Distributor, as it is untrusted to
have access to the E2E media encryption keys. The key exchange have access to the E2E media encryption keys. The key exchange
mechanisms specified in this framework prevents the Media Distributor mechanisms specified in this framework prevent the Media Distributor
from gaining access to the E2E media encryption keys. from gaining access to the E2E media encryption keys.
An endpoint's ability to connect to a conference serviced by a Media An Endpoint's ability to connect to a conference serviced by a Media
Distributor does imply that the endpoint is authorized to have access Distributor does imply that the Endpoint is authorized to have access
to the E2E media encryption keys, as the Media Distributor does not to the E2E media encryption keys, as the Media Distributor does not
have the ability to determine whether an endpoint is authorized. have the ability to determine whether an Endpoint is authorized.
Instead, the Key Distributor is responsible for authenticating the Instead, the Key Distributor is responsible for authenticating the
endpoint (e.g., using WebRTC Identity Endpoint (e.g., using WebRTC Identity
[I-D.ietf-rtcweb-security-arch]) and determining its authorization to [I-D.ietf-rtcweb-security-arch]) and determining its authorization to
receive E2E and HBH media encryption keys. receive E2E and HBH media encryption keys.
A Media Distributor must perform its role in properly forwarding A Media Distributor must perform its role in properly forwarding
media packets while taking measures to mitigate the adverse effects media packets while taking measures to mitigate the adverse effects
of denial of service attacks (refer to Section 8) to a level equal to of denial of service attacks (refer to Section 8) to a level equal to
or better than traditional conferencing (i.e. non-PERC) deployments. or better than traditional conferencing (non-PERC) deployments.
A Media Distributor or associated conferencing infrastructure may A Media Distributor or associated conferencing infrastructure may
also initiate or terminate various conference control related also initiate or terminate various conference control related
messaging, which is outside the scope of this framework document. messaging, which is outside the scope of this framework document.
3.1.2. Call Processing 3.1.2. Call Processing
The call processing function is untrusted in the simple, general The call processing function is untrusted in the simple, general
deployment scenario. When a physical subset of the call processing deployment scenario. When a physical subset of the call processing
function resides in facilities outside the trusted domain, it should function resides in facilities outside the trusted domain, it should
not be trusted to have access to E2E key information. not be trusted to have access to E2E key information.
The call processing function may include the processing of call The call processing function may include the processing of call
signaling messages, as well as the signing of those messages. It may signaling messages, as well as the signing of those messages. It may
also authenticate the endpoints for the purpose of call signaling and also authenticate the Endpoints for the purpose of call signaling and
subsequently joining of a conference hosted through one or more Media subsequently joining of a conference hosted through one or more Media
Distributors. Call processing may optionally ensure the privacy of Distributors. Call processing may optionally ensure the privacy of
call signaling messages between itself, the endpoint, and other call signaling messages between itself, the Endpoint, and other
entities. entities.
3.2. Trusted Entities 3.2. Trusted Entities
From the PERC model system perspective, entities considered trusted From the PERC model system perspective, entities considered trusted
(refer to Figure 1) can be in possession of the E2E media encryption (refer to Figure 1) can be in possession of the E2E media encryption
keys for one or more conferences. keys for one or more conferences.
3.2.1. Endpoint 3.2.1. Endpoint
An endpoint is considered trusted and has access to E2E key An Endpoint is considered trusted and has access to E2E key
information. While it is possible for an endpoint to be compromised, information. While it is possible for an Endpoint to be compromised,
subsequently performing in undesired ways, defining endpoint subsequently performing in undesired ways, defining Endpoint
resistance to compromise is outside the scope of this document. resistance to compromise is outside the scope of this document.
Endpoints take measures to mitigate the adverse effects of denial of Endpoints take measures to mitigate the adverse effects of denial of
service attacks (refer to Section 8) from other entities, including service attacks (refer to Section 8) from other entities, including
from other endpoints, to a level equal to or better than traditional from other Endpoints, to a level equal to or better than traditional
conference (i.e., non-PERC) deployments. conference (non-PERC) deployments.
3.2.2. Key Distributor 3.2.2. Key Distributor
The Key Distributor, which may be colocated with an endpoint or exist The Key Distributor, which may be colocated with an Endpoint or exist
standalone, is responsible for providing key information to endpoints standalone, is responsible for providing key information to Endpoints
for both end-to-end (E2E) and hop-by-hop (HBH) security and for for both end-to-end (E2E) and hop-by-hop (HBH) security and for
providing key information to Media Distributors for the hop-by-hop providing key information to Media Distributors for the hop-by-hop
security. security.
Interaction between the Key Distributor and the call processing Interaction between the Key Distributor and the call processing
function is necessary for proper conference-to-endpoint mappings. function is necessary for proper conference-to-Endpoint mappings.
This is described in Section 5.3. This is described in Section 5.3.
The Key Distributor needs to be secured and managed in a way to The Key Distributor needs to be secured and managed in a way to
prevent exploitation by an adversary, as any kind of compromise of prevent exploitation by an adversary, as any kind of compromise of
the Key Distributor puts the security of the conference at risk. the Key Distributor puts the security of the conference at risk.
They Key Distributor needs to know which Endpoints and which Media
Distributors are authorized to participate in the conference. How
the Key Distributor obtains this information is outside the scope of
this document. However, Key Distributors MUST reject DTLS
associations with any unauthorized Endpoint or Media Distributor.
4. Framework for PERC 4. Framework for PERC
The purpose for this framework is to define a means through which The purpose for this framework is to define a means through which
media privacy is ensured when communicating within a conferencing media privacy is ensured when communicating within a conferencing
environment consisting of one or more Media Distributors that only environment consisting of one or more Media Distributors that only
switch, hence not terminate, media. It does not otherwise attempt to switch, hence not terminate, media. It does not otherwise attempt to
hide the fact that a conference between endpoints is taking place. hide the fact that a conference between Endpoints is taking place.
This framework reuses several specified RTP security technologies, This framework reuses several specified RTP security technologies,
including Secure Real-time Transport Protocol (SRTP) [RFC3711], including Secure Real-time Transport Protocol (SRTP) [RFC3711],
Encrypted Key Transport (EKT) [I-D.ietf-perc-srtp-ekt-diet], and Encrypted Key Transport (EKT) [I-D.ietf-perc-srtp-ekt-diet], and
DTLS-SRTP [RFC5764]. DTLS-SRTP.
4.1. End-to-End and Hop-by-Hop Authenticated Encryption 4.1. End-to-End and Hop-by-Hop Authenticated Encryption
This solution framework focuses on the end-to-end privacy and This solution framework focuses on the end-to-end privacy and
integrity of the participant's media by limiting access to only integrity of the participant's media by limiting access to only
trusted entities to the E2E key used for authenticated end-to-end trusted entities to the E2E key used for authenticated end-to-end
encryption. However, this framework does give a Media Distributor encryption. However, this framework does give a Media Distributor
access to RTP headers and all or most header extensions, as well as access to RTP headers fields and header extensions, as well as the
the ability to modify a certain subset of those headers and to add ability to modify a certain subset of the header fields and to add or
header extensions. Packets received by a Media Distributor or an change header extensions. Packets received by a Media Distributor or
endpoint are authenticated hop-by-hop. an Endpoint are authenticated hop-by-hop.
To enable all of the above, this framework defines the use of two To enable all of the above, this framework defines the use of two
security contexts and two associated encryption keys: an "inner" key security contexts and two associated encryption keys: an "inner" key
(an E2E key distinct for each transmitted media flow) for (an E2E key distinct for each transmitted media flow) for
authenticated encryption of RTP media between endpoints and an authenticated encryption of RTP media between Endpoints and an
"outer" key (HBH key) known only to Media Distributor and the "outer" key (HBH key) known only to Media Distributor or the adjacent
adjacent endpoint) for the hop between an endpoint and a Media Endpoint for the hop between an Endpoint and a Media Distributor or
Distributor or between Media Distributor. peer Endpoint. An Endpoint will receive one or more E2E keys from
every other Endpoint in the conference that correspond to the media
flows transmitted by those other Endpoints, while HBH keys are
derived from the DTLS-SRTP association with the Key Distributor. Two
communicating Media Distributors use DTLS-SRTP associations directly
with each other to obtain the HBH keys they will use. See
Section 4.5 for more details on key exchange.
+-------------+ +-------------+ +-------------+ +-------------+
| |################################| | | |################################| |
| Media |------------------------ *----->| Media | | Media |------------------------ *----->| Media |
| Distributor |<----------------------*-|------| Distributor | | Distributor |<----------------------*-|------| Distributor |
| X |#####################*#|#|######| Y | | X |#####################*#|#|######| Y |
| | | | | | | | | | | | | |
+-------------+ | | | +-------------+ +-------------+ | | | +-------------+
# ^ | # HBH Key (XY) -+ | | # ^ | # # ^ | # HBH Key (XY) -+ | | # ^ | #
# | | # E2E Key (B) ---+ | # | | # # | | # E2E Key (B) ---+ | # | | #
skipping to change at page 9, line 5 skipping to change at page 9, line 30
# | *------- E2E Key (B) E2E Key (B) -------* | # # | *------- E2E Key (B) E2E Key (B) -------* | #
# | | # # | | # # | | # # | | #
# | v # # | v # # | v # # | v #
+-------------+ +-------------+ +-------------+ +-------------+
| Endpoint A | | Endpoint B | | Endpoint A | | Endpoint B |
+-------------+ +-------------+ +-------------+ +-------------+
Figure 2: E2E and HBH Keys Used for Authenticated Encryption of SRTP Figure 2: E2E and HBH Keys Used for Authenticated Encryption of SRTP
Packets Packets
The Double transform [I-D.ietf-perc-double] enables endpoints to The Double transform [I-D.ietf-perc-double] enables Endpoints to
perform encryption using both the end-to-end and hop-by-hop contexts perform encryption using both the end-to-end and hop-by-hop contexts
while still preserving the same overall interface as other SRTP while still preserving the same overall interface as other SRTP
transforms. The Media Distributor simply uses the corresponding transforms. The Media Distributor simply uses the corresponding
normal (single) AES-GCM transform, keyed with the appropriate HBH normal (single) AES-GCM transform, keyed with the appropriate HBH
keys. See Section 6.1 for a description of the keys used in PERC and keys. See Section 6.1 for a description of the keys used in PERC and
Section 7 for diagram of how encrypted RTP packets appear on the Section 7 for diagram of how encrypted RTP packets appear on the
wire. wire.
RTCP is only encrypted hop-by-hop, not end-to-end. This framework RTCP is only encrypted hop-by-hop, not end-to-end. This framework
introduces no additional step for RTCP authenticated encryption, so introduces no additional step for RTCP authenticated encryption, so
the procedures needed are specified in [RFC3711] and use the same the procedures needed are specified in [RFC3711] and use the same
outer, hop-by-hop cryptographic context chosen in the Double outer, hop-by-hop cryptographic context chosen in the Double
operation described above. operation described above. For this reason, Endpoints MUST NOT send
confidential information via RTCP.
4.2. E2E Key Confidentiality 4.2. E2E Key Confidentiality
To ensure the confidentiality of E2E keys shared between endpoints, To ensure the confidentiality of E2E keys shared between Endpoints,
endpoints use a common Key Encryption Key (KEK) that is known only by Endpoints use a common Key Encryption Key (KEK) that is known only by
the trusted entities in a conference. That KEK, defined in the EKT the trusted entities in a conference. That KEK, defined in the EKT
[I-D.ietf-perc-srtp-ekt-diet] specification as the EKT Key, is used specification [I-D.ietf-perc-srtp-ekt-diet] as the EKT Key, is used
to subsequently encrypt the SRTP master key used for E2E to subsequently encrypt the SRTP master key used for E2E
authenticated encryption of media sent by a given endpoint. Each authenticated encryption of media sent by a given Endpoint. Each
endpoint in the conference creates an SRTP master key for E2E Endpoint in the conference creates an SRTP master key for E2E
authenticated encryption and keep track of the E2E keys received via authenticated encryption and keep track of the E2E keys received via
the Full EKT Tag for each distinct synchronization source (SSRC) in the Full EKT Tag for each distinct synchronization source (SSRC) in
the conference so that it can properly decrypt received media. An the conference so that it can properly decrypt received media. An
endpoint may change its E2E key at any time and advertise that new Endpoint may change its E2E key at any time and advertise that new
key to the conference as specified in [I-D.ietf-perc-srtp-ekt-diet]. key to the conference as specified in [I-D.ietf-perc-srtp-ekt-diet].
4.3. E2E Keys and Endpoint Operations 4.3. E2E Keys and Endpoint Operations
Any given RTP media flow is identified by its SSRC, and an endpoint Any given RTP media flow is identified by its SSRC, and an Endpoint
might send more than one at a time and change the mix of media flows might send more than one at a time and change the mix of media flows
transmitted during the life of a conference. transmitted during the life of a conference.
Thus, an endpoint MUST maintain a list of SSRCs from received RTP Thus, an Endpoint MUST maintain a list of SSRCs from received RTP
flows and each SSRC's associated E2E key information. An endpoint flows and each SSRC's associated E2E key information. An Endpoint
MUST discard old E2E keys no later than when it leaves the conference MUST discard old E2E keys no later than when it leaves the conference
(see Section 4.5.2). (see Section 4.5.2).
If there is a need to encrypt one or more RTP header extensions end- If the packet is to contain RTP header extensions, it should be noted
to-end, the endpoint derives an encryption key from the E2E SRTP that those are only encrypted HBH per [I-D.ietf-perc-double]. For
master key to encrypt header extensions as per [RFC6904]. The Media this reason, Endpoints MUST NOT transmit confidential information via
Distributor is unable use the information contained in those header RTP header extensions.
extensions encrypted with an E2E key.
4.4. HBH Keys and Per-hop Operations 4.4. HBH Keys and Per-hop Operations
To ensure the integrity of transmitted media packets, it is REQUIRED To ensure the integrity of transmitted media packets, it is REQUIRED
that every packet be authenticated hop-by-hop between an endpoint and that every packet be authenticated hop-by-hop between an Endpoint and
a Media Distributor, as well between Media Distributors. The a Media Distributor, as well between Media Distributors. The
authentication key used for hop-by-hop authentication is derived from authentication key used for hop-by-hop authentication is derived from
an SRTP master key shared only on the respective hop. Each HBH key an SRTP master key shared only on the respective hop. Each HBH key
is distinct per hop and no two hops ever use the same SRTP master is distinct per hop and no two hops ever use the same SRTP master
key. key.
While endpoints also perform HBH authentication, the ability of the While Endpoints also perform HBH authentication, the ability of the
endpoints to reconstruct the original RTP header also enables the Endpoints to reconstruct the original RTP header also enables the
endpoints to authenticate RTP packets E2E. This design yields Endpoints to authenticate RTP packets E2E. This design yields
flexibility to the Media Distributor to change certain RTP header flexibility to the Media Distributor to change certain RTP header
values as packets are forwarded. Which values the Media Distributor values as packets are forwarded. Which values the Media Distributor
can change in the RTP header are defined in [I-D.ietf-perc-double]. can change in the RTP header are defined in [I-D.ietf-perc-double].
RTCP can only be encrypted hop-by-hop, giving the Media Distributor RTCP can only be encrypted hop-by-hop, giving the Media Distributor
the flexibility to forward RTCP content unchanged, transmit compound the flexibility to forward RTCP content unchanged, transmit compound
RTCP packets or to initiate RTCP packets for reporting statistics or RTCP packets or to initiate RTCP packets for reporting statistics or
conveying other information. Performing hop-by-hop authentication conveying other information. Performing hop-by-hop authentication
for all RTP and RTCP packets also helps provide replay protection for all RTP and RTCP packets also helps provide replay protection
(see Section 8). The use of the replay protection mechanism (see Section 8). The use of the replay protection mechanism
specified in Section 3.3.2 of [RFC3711] is REQUIRED at each hop. specified in Section 3.3.2 of [RFC3711] is REQUIRED at each hop.
If there is a need to encrypt one or more RTP header extensions hop- If there is a need to encrypt one or more RTP header extensions hop-
by-hop, the endpoint derives an encryption key from the HBH SRTP by-hop, the Endpoint derives an encryption key from the HBH SRTP
master key to encrypt header extensions as per [RFC6904]. This still master key to encrypt header extensions as per [RFC6904]. This still
gives the Media Distributor visibility into header extensions, such gives the Media Distributor visibility into header extensions, such
as the one used to determine audio level [RFC6464] of conference as the one used to determine audio level [RFC6464] of conference
participants. Note that when RTP header extensions are encrypted, participants. Note that when RTP header extensions are encrypted,
all hops need to decrypt and re-encrypt these encrypted header all hops need to decrypt and re-encrypt these encrypted header
extensions. extensions. Please refer to Sections 5.1 through 5.3 of
[I-D.ietf-perc-double] for procedures to perform RTP header extension
encryption and decryption.
4.5. Key Exchange 4.5. Key Exchange
In brief, the keys used by any given endpoints are determined in the In brief, the keys used by any given Endpoints are determined in the
following way: following way:
o The HBH keys that the endpoint uses to send and receive SRTP media o The HBH keys that the Endpoint uses to send and receive SRTP media
are derived from a DTLS handshake that the endpoint performs with are derived from a DTLS handshake that the Endpoint performs with
the Key Distributor (following normal DTLS-SRTP procedures). the Key Distributor (following normal DTLS-SRTP procedures).
o The E2E key that an endpoint uses to send SRTP media can either be o The E2E key that an Endpoint uses to send SRTP media can either be
set from DTLS or chosen by the endpoint. It is then distributed set from the DTLS-SRTP association with the Key Distributor or
to other endpoints in a Full EKT Tag, encrypted under an EKT Key chosen by the Endpoint. It is then distributed to other Endpoints
provided to the client by the Key Distributor within the DTLS in a Full EKT Tag, encrypted under an EKT Key provided to the
channel they negotiated. client by the Key Distributor within the DTLS channel they
negotiated. Note that an Endpoint MAY create a different E2E key
per media flow, where a media flow is identified by its SSRC
value.
o Each E2E key that an endpoint uses to receive SRTP media is set by o Each E2E key that an Endpoint uses to receive SRTP media is set by
receiving a Full EKT Tag from another endpoint. receiving a Full EKT Tag from another Endpoint.
o The HBH keys used between two Media Distributors is derived from
DTLS-SRTP procedures employed directly between them.
4.5.1. Initial Key Exchange and Key Distributor 4.5.1. Initial Key Exchange and Key Distributor
The Media Distributor maintains a tunnel with the Key Distributor The Media Distributor maintains a tunnel with the Key Distributor
(e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the (e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the
Media Distributor to facilitate the establishment of a secure DTLS Media Distributor to facilitate the establishment of a secure DTLS
association between each endpoint and the Key Distributor as shown association between each Endpoint and the Key Distributor as shown
the following figure. The DTLS association between endpoints and the the following figure. The DTLS association between Endpoints and the
Key Distributor enables each endpoint to generate E2E and HBH keys Key Distributor enables each Endpoint to generate E2E and HBH keys
and receive the Key Encryption Key (KEK) (i.e., EKT Key). At the and receive the KEK. At the same time, the Key Distributor securely
same time, the Key Distributor securely provides the HBH key provides the HBH key information to the Media Distributor. The key
information to the Media Distributor. The key information summarized information summarized here may include the SRTP master key, SRTP
here may include the SRTP master key, SRTP master salt, and the master salt, and the negotiated cryptographic transform.
negotiated cryptographic transform.
+-----------+ +-----------+
KEK info | Key | HBH Key info to KEK info | Key | HBH Key info to
to Endpoints |Distributor| Endpoints & Media Distributor to Endpoints |Distributor| Endpoints & Media Distributor
+-----------+ +-----------+
# ^ ^ # # ^ ^ #
# | | #--- Tunnel # | | #--- Tunnel
# | | # # | | #
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
| Endpoint | DTLS | Media | DTLS | Endpoint | | Endpoint | DTLS | Media | DTLS | Endpoint |
| KEK |<------------|Distributor|------------>| KEK | | KEK |<------------|Distributor|------------>| KEK |
| HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key |
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
Figure 3: Exchanging Key Information Between Entities Figure 3: Exchanging Key Information Between Entities
In addition to the secure tunnel between the Media Distributor and In addition to the secure tunnel between the Media Distributor and
the Key Distributor, there are two additional types of security the Key Distributor, there are two additional types of security
associations utilized as a part of the key exchange as discussed in associations utilized as a part of the key exchange as discussed in
the following paragraphs. One is a DTLS-SRTP association between an the following paragraphs. One is a DTLS-SRTP association between an
endpoint and the Key Distributor (with packets passing through the Endpoint and the Key Distributor (with packets passing through the
Media Distributor) and the other is a DTLS-SRTP association between Media Distributor) and the other is a DTLS-SRTP association between
peer Media Distributors. peer Media Distributors.
Endpoints establish a DTLS-SRTP [RFC5764] association over the RTP Endpoints establish a DTLS-SRTP association over the RTP session with
session's media ports for the purposes of key information exchange the Media Distributor and its media ports for the purposes of key
with the Key Distributor. The Media Distributor does not terminate information exchange with the Key Distributor. The Media Distributor
the DTLS signaling, but instead forwards DTLS packets received from does not terminate the DTLS signaling, but instead forwards DTLS
an endpoint on to the Key Distributor (and vice versa) via a tunnel packets received from an Endpoint on to the Key Distributor (and vice
established between Media Distributor and the Key Distributor. versa) via a tunnel established between Media Distributor and the Key
Distributor.
In establishing the DTLS association between endpoints and the Key In establishing the DTLS association between Endpoints and the Key
Distributor, the endpoint MUST act as the DTLS client and the Key Distributor, the Endpoint MUST act as the DTLS client and the Key
Distributor MUST act as the DTLS server. The Key Encryption Key Distributor MUST act as the DTLS server. The KEK is conveyed by the
(KEK) (i.e., EKT Key) is conveyed by the Key Distributor over the Key Distributor over the DTLS association to Endpoints via procedures
DTLS association to endpoints via procedures defined in EKT defined in EKT [I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message.
[I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message.
The Key Distributor MUST NOT establish DTLS-SRTP associations with The Key Distributor MUST NOT establish DTLS-SRTP associations with
endpoints without first authenticating the Media Distributor Endpoints without first authenticating the Media Distributor
tunneling the DTLS-SRTP packets from the endpoint. tunneling the DTLS-SRTP packets from the Endpoint.
Note that following DTLS-SRTP procedures for the Note that following DTLS-SRTP procedures for the
[I-D.ietf-perc-double] cipher, the endpoint generates both E2E and [I-D.ietf-perc-double] cipher, the Endpoint generates both E2E and
HBH encryption keys and salt values. Endpoints MUST either use the HBH encryption keys and salt values. Endpoints MUST either use the
DTLS-SRTP generated E2E key for transmission or generate a fresh E2E DTLS-SRTP generated E2E key for transmission or generate a fresh E2E
key. In either case, the generated SRTP master salt for E2E key. In either case, the generated SRTP master salt for E2E
encryption MUST be replaced with the salt value provided by the Key encryption MUST be replaced with the salt value provided by the Key
Distributor via the EKTKey message. That is because every endpoint Distributor via the EKTKey message. That is because every Endpoint
in the conference uses the same SRTP master salt. The endpoint only in the conference uses the same SRTP master salt. The Endpoint only
transmits the SRTP master key (not the salt) used for E2E encryption transmits the SRTP master key (not the salt) used for E2E encryption
to other endpoints in RTP/RTCP packets per to other Endpoints in RTP/RTCP packets per
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media Media Distributors use DTLS-SRTP directly with a peer Media
Distributor to establish the HBH key for transmitting RTP and RTCP Distributor to establish the HBH key for transmitting RTP and RTCP
packets to that peer Media Distributor. The Key Distributor does not packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing a HBH key for use between Media Distributors. facilitate establishing a HBH key for use between Media Distributors.
4.5.2. Key Exchange during a Conference 4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the Key Following the initial key information exchange with the Key
Distributor, an endpoint is able to encrypt media end-to-end with an Distributor, an Endpoint is able to encrypt media end-to-end with an
E2E key, sending that E2E key to other endpoints encrypted with the E2E key, sending that E2E key to other Endpoints encrypted with the
KEK, and is able to encrypt and authenticate RTP packets using a HBH KEK, and is able to encrypt and authenticate RTP packets using a HBH
key. The procedures defined do not allow the Media Distributor to key. The procedures defined do not allow the Media Distributor to
gain access to the KEK information, preventing it from gaining access gain access to the KEK information, preventing it from gaining access
to any endpoint's E2E key and subsequently decrypting media. to any Endpoint's E2E key and subsequently decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK may need to change from time-to-time during the life of a
the life of a conference, such as when a new participant joins or conference, such as when a new participant joins or leaves a
leaves a conference. Dictating if, when or how often a conference is conference. Dictating if, when or how often a conference is to be
to be re-keyed is outside the scope of this document, but this re-keyed is outside the scope of this document, but this framework
framework does accommodate re-keying during the life of a conference. does accommodate re-keying during the life of a conference.
When a Key Distributor decides to re-key a conference, it transmits a When a Key Distributor decides to re-key a conference, it transmits a
new EKTKey message containing the new EKT Key new EKTKey message containing the new EKT Key to each of the
[I-D.ietf-perc-srtp-ekt-diet] to each of the conference participants. conference participants. Upon receipt of the new EKT Key, the
Upon receipt of the new EKT Key, the endpoint MUST create a new SRTP Endpoint MUST create a new SRTP master key and prepare to send that
master key and prepare to send that key inside a Full EKT Field using key inside a Full EKT Field using the new EKT Key as per Section 4.5
the new EKT Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet]. of [I-D.ietf-perc-srtp-ekt-diet]. In order to allow time for all
In order to allow time for all endpoints in the conference to receive Endpoints in the conference to receive the new keys, the sender
the new keys, the sender should follow the recommendations in should follow the recommendations in Section 4.7 of [I-D.ietf-perc-
Section 4.7 of [I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT srtp-ekt-diet]. On receiving a new EKT Key, Endpoints MUST be
Key, endpoints MUST be prepared to decrypt EKT tags using the new prepared to decrypt EKT tags using the new key. The EKT SPI field is
key. The EKT SPI field is used to differentiate between tags used to differentiate between tags encrypted with the old and new
encrypted with the old and new keys. keys.
After re-keying, an endpoint SHOULD retain prior SRTP master keys and After re-keying, an Endpoint SHOULD retain prior SRTP master keys and
EKT Key for a period of time sufficient for the purpose of ensuring EKT Key for a period of time sufficient for the purpose of ensuring
it can decrypt late-arriving or out-of-order packets or packets sent it can decrypt late-arriving or out-of-order packets or packets sent
by other endpoints that used the prior keys for a period of time by other Endpoints that used the prior keys for a period of time
after re-keying began. An endpoint MAY retain old keys until the end after re-keying began. An Endpoint MAY retain old keys until the end
of the conference. of the conference.
Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
renegotiate HBH keys as desired. If new HBH keys are generated, the renegotiate HBH keys as desired. If new HBH keys are generated, the
new keys are also delivered to the Media Distributor following the new keys are also delivered to the Media Distributor following the
procedures defined in [I-D.ietf-perc-dtls-tunnel] as one possible procedures defined in [I-D.ietf-perc-dtls-tunnel] as one possible
method. method.
Endpoints MAY change the E2E encryption key used at any time. Endpoints MAY change the E2E encryption key used at any time. An
Endpoints MUST generate a new E2E encryption key whenever it receives Endpoint MUST generate a new E2E encryption key whenever it receives
a new EKT Key. After switching to a new key, the new key is conveyed a new EKT Key. After switching to a new key, the new key is conveyed
to other endpoints in the conference in RTP/RTCP packets per to other Endpoints in the conference in RTP/RTCP packets per
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
5. Authentication 5. Authentication
It is important to this solution framework that the entities can It is important to this solution framework that the entities can
validate the authenticity of other entities, especially the Key validate the authenticity of other entities, especially the Key
Distributor and endpoints. The details of this are outside the scope Distributor and Endpoints. The details of this are outside the scope
of specification but a few possibilities are discussed in the of specification but a few possibilities are discussed in the
following sections. The key requirements are that an endpoint can following sections. The critical requirements are that an Endpoint
verify it is connected to the correct Key Distributor for the can verify it is connected to the correct Key Distributor for the
conference and the Key Distributor can verify the endpoint is the conference and the Key Distributor can verify the Endpoint is the
correct endpoint for the conference. correct Endpoint for the conference.
Two possible approaches to solve this are Identity Assertions and Two possible approaches to solve this are Identity Assertions and
Certificate Fingerprints. Certificate Fingerprints.
5.1. Identity Assertions 5.1. Identity Assertions
WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] is used to WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] is used to
bind the identity of the user of the endpoint to the fingerprint of bind the identity of the user of the Endpoint to the fingerprint of
the DTLS-SRTP certificate used for the call. This certificate is the DTLS-SRTP certificate used for the call. This certificate is
unique for a given call and a conference. This allows the Key unique for a given call and a conference. This allows the Key
Distributor to ensure that only authorized users participate in the Distributor to ensure that only authorized users participate in the
conference. Similarly the Key Distributor can create a WebRTC conference. Similarly the Key Distributor can create a WebRTC
Identity assertion to bind the fingerprint of the unique certificate Identity assertion to bind the fingerprint of the unique certificate
used by the Key Distributor for this conference so that the endpoint used by the Key Distributor for this conference so that the Endpoint
can validate it is talking to the correct Key Distributor. Such a can validate it is talking to the correct Key Distributor. Such a
setup requires an Identity Provider (Idp) trusted by the endpoints setup requires an Identity Provider (Idp) trusted by the Endpoints
and the Key Distributor. and the Key Distributor.
5.2. Certificate Fingerprints in Session Signaling 5.2. Certificate Fingerprints in Session Signaling
Entities managing session signaling are generally assumed to be Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate. authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and Session Description Protocol As a concrete example, SIP [RFC3261] and Session Description Protocol
(SDP) [RFC4566] can be used to convey the fingerprint information per (SDP) [RFC4566] can be used to convey the fingerprint information per
[RFC5763]. An endpoint's SIP User Agent would send an INVITE message [RFC5763]. An Endpoint's SIP User Agent would send an INVITE message
containing SDP for the media session along with the endpoint's containing SDP for the media session along with the Endpoint's
certificate fingerprint, which can be signed using the procedures certificate fingerprint, which can be signed using the procedures
described in [RFC8224] for the benefit of forwarding the message to described in [RFC8224] for the benefit of forwarding the message to
other entities by the Focus [RFC4353]. Other entities can verify the other entities by the Focus [RFC4353]. Other entities can verify the
fingerprints match the certificates found in the DTLS-SRTP fingerprints match the certificates found in the DTLS-SRTP
connections to find the identity of the far end of the DTLS-SRTP connections to find the identity of the far end of the DTLS-SRTP
connection and verify that is the authorized entity. connection and verify that is the authorized entity.
Ultimately, if using session signaling, an endpoint's certificate Ultimately, if using session signaling, an Endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed fingerprint would need to be securely mapped to a user and conveyed
to the Key Distributor so that it can check that that user is to the Key Distributor so that it can check that that user is
authorized. Similarly, the Key Distributor's certificate fingerprint authorized. Similarly, the Key Distributor's certificate fingerprint
can be conveyed to endpoint in a manner that can be authenticated as can be conveyed to an Endpoint in a manner that can be authenticated
being an authorized Key Distributor for this conference. as being an authorized Key Distributor for this conference.
5.3. Conferences Identification 5.3. Conference Identification
The Key Distributor needs to know what endpoints are being added to a The Key Distributor needs to know what Endpoints are being added to a
given conference. Thus, the Key Distributor and the Media given conference. Thus, the Key Distributor and the Media
Distributor need to know endpoint-to-conference mappings, which is Distributor need to know Endpoint-to-conference mappings, which is
enabled by exchanging a conference-specific unique identifier defined enabled by exchanging a conference-specific unique identifier defined
in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is
assigned is outside the scope of this document. assigned is outside the scope of this document.
6. PERC Keys 6. PERC Keys
This section describes the various keys employed by PERC. This section describes the various keys employed by PERC.
6.1. Key Inventory and Management Considerations 6.1. Key Inventory and Management Considerations
skipping to change at page 15, line 18 skipping to change at page 16, line 8
framework, how they are generated, and what purpose they serve. framework, how they are generated, and what purpose they serve.
The keys are described in the order in which they would typically be The keys are described in the order in which they would typically be
acquired. acquired.
The various keys used in PERC are shown in Figure 4 below. The various keys used in PERC are shown in Figure 4 below.
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| Key | Description | | Key | Description |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| KEK | Key shared by all endpoints and used to encrypt |
| (EKT Key) | each endpoint's E2E SRTP master key so receiving |
| | endpoints can decrypt media. |
+-----------+----------------------------------------------------+
| HBH Key | SRTP master key used to encrypt media hop-by-hop. | | HBH Key | SRTP master key used to encrypt media hop-by-hop. |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| KEK | Key shared by all Endpoints and used to encrypt |
| (EKT Key) | each Endpoint's E2E SRTP master key so receiving |
| | Endpoints can decrypt media. |
+-----------+----------------------------------------------------+
| E2E Key | SRTP master key used to encrypt media end-to-end. | | E2E Key | SRTP master key used to encrypt media end-to-end. |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
Figure 4: Key Inventory Figure 4: Key Inventory
While the number of key types is very small, it should be understood While the number of key types is very small, it should be understood
that the actual number of distinct keys can be large as the that the actual number of distinct keys can be large as the
conference grows in size. conference grows in size.
As an example, with 1,000 participants in a conference, there would As an example, with 1,000 participants in a conference, there would
be at least 1,000 distinct SRTP master keys, all of which share the be at least 1,000 distinct SRTP master keys, all of which share the
same master salt. Each of those keys are passed through the KDF same master salt. Each of those keys are passed through the KDF
defined in [RFC3711] to produce the actual encryption and defined in [RFC3711] to produce the actual encryption and
authentication keys. authentication keys.
Complicating key management is the fact that the KEK can change and, Complicating key management is the fact that the KEK can change and,
when it does, the endpoints generate new SRTP master keys that are when it does, the Endpoints generate new SRTP master keys that are
associated with a new EKT SPI. Endpoints have to retain old keys for associated with a new EKT SPI. Endpoints might retain old keys for a
a period of time to ensure they can properly decrypt late-arriving or period of time to ensure they can properly decrypt late-arriving or
out-of-order packets. out-of-order packets, which means the number of keys held during that
period of time might substantially more.
A more detailed explanation of each of the keys follows. A more detailed explanation of each of the keys follows.
6.2. DTLS-SRTP Exchange Yields HBH Keys 6.2. DTLS-SRTP Exchange Yields HBH Keys
The first set of keys acquired are for hop-by-hop encryption and The first set of keys acquired are for hop-by-hop encryption and
decryption. Per the Double [I-D.ietf-perc-double] procedures, the decryption. Per the Double [I-D.ietf-perc-double] procedures, the
endpoint performs DTLS-SRTP exchange with the key distributor and Endpoint performs DTLS-SRTP exchange with the Key Distributor and
receives a key that is, in fact, "double" the size that is needed. receives a key that is, in fact, "double" the size that is needed.
The end-to-end part is the first half of the key, so the Endpoint
The end-to-end part is the first half of the key, so the endpoint
discards that information when generating its own key. The second discards that information when generating its own key. The second
half of the key material is for hop-by-hop operations, so that half half of the key material is for hop-by-hop operations, so that half
of the key (corresponding to the least significant bits) is assigned of the key (corresponding to the least significant bits) is assigned
internally as the HBH key. internally as the HBH key.
The Key Distributor informs the Media Distributor of the HBH key. The Key Distributor informs the Media Distributor of the HBH key.
Specifically, the Key Distributor sends the least significant bits Specifically, the Key Distributor sends the least significant bits
corresponding to the half of the keying material determined through corresponding to the half of the keying material determined through
DTLS-SRTP with the endpoint to the Media Distributor. A salt value DTLS-SRTP with the Endpoint to the Media Distributor. A salt value
is generated along with the HBH key. The salt is also longer than is generated along with the HBH key. The salt is also longer than
needed for hop-by-hop operations, thus only the least significant needed for hop-by-hop operations, thus only the least significant
bits of the required length (i.e., half of the generated salt bits of the required length (half of the generated salt material) are
material) are sent to the Media Distributor. One way to transmit sent to the Media Distributor. One way to transmit this key and salt
this key and salt information is via the tunnel protocol defined in information is via the tunnel protocol defined in
[I-D.ietf-perc-dtls-tunnel]. [I-D.ietf-perc-dtls-tunnel].
No two endpoints have the same HBH key, thus the Media Distributor No two Endpoints have the same HBH key, thus the Media Distributor
MUST keep track each distinct HBH key (and the corresponding salt) MUST keep track each distinct HBH key (and the corresponding salt)
and use it only for the specified hop. and use it only for the specified hop.
The HBH key is also used for hop-by-hop encryption of RTCP. RTCP is The HBH key is also used for hop-by-hop encryption of RTCP. RTCP is
not end-to-end encrypted in PERC. not end-to-end encrypted in PERC.
6.3. The Key Distributor Transmits the KEK (EKT Key) 6.3. The Key Distributor Transmits the KEK (EKT Key)
Via the aforementioned DTLS-SRTP association, the Key Distributor Via the aforementioned DTLS-SRTP association, the Key Distributor
sends the endpoint the KEK (i.e., EKT Key per sends the Endpoint the KEK (EKT Key per
[I-D.ietf-perc-srtp-ekt-diet]). This key is known only to the Key [I-D.ietf-perc-srtp-ekt-diet]). This key is known only to the Key
Distributor and endpoints. This key is the most important to protect Distributor and Endpoints. This key is the most important to protect
since having knowledge of this key (and the SRTP master salt since having knowledge of this key (and the SRTP master salt
transmitted as a part of the same message) allows an entity to transmitted as a part of the same message) allows an entity to
decrypt any media packet in the conference. decrypt any media packet in the conference.
Note that the Key Distributor can send any number of EKT Keys to Note that the Key Distributor can send any number of EKT Keys to
endpoints. This is used to re-key the entire conference. Each key Endpoints. This is used to re-key the entire conference. Each key
is identified by a "Security Parameter Index" (SPI) value. Endpoints is identified by a "Security Parameter Index" (SPI) value. Endpoints
MUST expect that a conference might be re-keyed when a new MUST expect that a conference might be re-keyed when a new
participant joins a conference or when a participant leaves a participant joins a conference or when a participant leaves a
conference in order to protect the confidentiality of the conference in order to protect the confidentiality of the
conversation before and after such events. conversation before and after such events.
The SRTP master salt to be used by the endpoint is transmitted along The SRTP master salt to be used by the Endpoint is transmitted along
with the EKT Key. All endpoints in the conference utilize the same with the EKT Key. All Endpoints in the conference utilize the same
SRTP master salt that corresponds with a given EKT Key. SRTP master salt that corresponds with a given EKT Key.
The Full EKT Tag in media packets is encrypted using a cipher The Full EKT Tag in media packets is encrypted using a cipher
specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit
key). This cipher is different than the cipher used to protect media key). This cipher is different than the cipher used to protect media
and is only used to encrypt the endpoint's SRTP master key (and other and is only used to encrypt the Endpoint's SRTP master key (and other
EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]). EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]).
The media distributor is not given the KEK (i.e., EKT Key). The Media Distributor is not given the KEK.
6.4. Endpoints fabricate an SRTP Master Key 6.4. Endpoints fabricate an SRTP Master Key
As stated earlier, the E2E key determined via DTLS-SRTP MAY be As stated earlier, the E2E key determined via DTLS-SRTP MAY be
discarded in favor of a locally-generated E2E SRTP master key. While discarded in favor of a locally-generated E2E SRTP master key. While
the DTLS-SRTP-derived SRTP master key can be used initially, the the DTLS-SRTP-derived SRTP master key can be used initially, the
endpoint might choose to change the SRTP master key periodically and Endpoint might choose to change the SRTP master key periodically and
MUST change the SRTP master key as a result of the EKT key changing. MUST change the SRTP master key as a result of the EKT key changing.
A locally-generated SRTP master key is used along with the master A locally-generated SRTP master key is used along with the master
salt transmitted to the endpoint from the key distributor via the salt transmitted to the Endpoint from the Key Distributor via the
EKTKey message to encrypt media end-to-end. EKTKey message to encrypt media end-to-end.
Since the media distributor is not involved in E2E functions, it does Since the Media Distributor is not involved in E2E functions, it does
not create this key nor have access to any endpoint's E2E key. Note, not create this key nor have access to any Endpoint's E2E key. Note,
too, that even the key distributor is unaware of the locally- too, that even the Key Distributor is unaware of the locally-
generated E2E keys used by each endpoint. generated E2E keys used by each Endpoint.
The endpoint transmits its E2E key to other endpoints in the The Endpoint transmits its E2E key to other Endpoints in the
conference by periodically including it in SRTP packets in a Full EKT conference by periodically including it in SRTP packets in a Full EKT
Tag. When placed in the Full EKT Tag, it is encrypted using the EKT Tag. When placed in the Full EKT Tag, it is encrypted using the EKT
Key provided by the key distributor. The master salt is not Key provided by the Key Distributor. The master salt is not
transmitted, though, since all endpoints receive the same master salt transmitted, though, since all Endpoints receive the same master salt
via the EKTKey message from the Key Distributor. The recommended via the EKTKey message from the Key Distributor. The recommended
frequency with which an endpoint transmits its SRTP master key is frequency with which an Endpoint transmits its SRTP master key is
specified in [I-D.ietf-perc-srtp-ekt-diet]. specified in [I-D.ietf-perc-srtp-ekt-diet].
6.5. Summary of Key Types and Entity Possession 6.5. Summary of Key Types and Entity Possession
All endpoints have knowledge of the KEK. All Endpoints have knowledge of the KEK.
Every HBH key is distinct for a given endpoint, thus Endpoint A and Every HBH key is distinct for a given Endpoint, thus Endpoint A and
Endpoint B do not have knowledge of the other's HBH key. Endpoint B do not have knowledge of the other's HBH key. Since HBH
keys are derived from a DTLS-SRTP association, there is at most one
HBH key per Endpoint, (The only exception is where the DTLS-SRTP
association might be rekeyed per Section 5.2 of [RFC5764] and a new
key is created to replace the former key.)
Each endpoint generates its own E2E Key (SRTP master key), thus Each Endpoint generates its own E2E key (SRTP master key), thus there
distinct per endpoint. This key is transmitted (encrypted) via the is a distinct E2E key per endpoint. This key is transmitted
Full EKT Tag to other endpoints. Endpoints that receive media from a (encrypted) via the Full EKT Tag to other Endpoints. Endpoints that
given transmitting endpoint gains knowledge of the transmitter's E2E receive media from a given transmitting Endpoint gain knowledge of
key via the Full EKT Tag. the transmitter's E2E key via the Full EKT Tag.
To summarize the various keys and which entity is in possession of a To summarize the various keys and which entity is in possession of a
given key, refer to Figure 5. given key, refer to Figure 5.
+----------------------+------------+-------+-------+------------+ +----------------------+------------+-------+-------+------------+
| Key / Entity | Endpoint A | MD X | MD Y | Endpoint B | | Key / Entity | Endpoint A | MD X | MD Y | Endpoint B |
+----------------------+------------+-------+-------+------------+ +----------------------+------------+-------+-------+------------+
| KEK | Yes | No | No | Yes | | KEK (EKT Key) | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+ +----------------------+------------+-------+-------+------------+
| E2E Key (A and B) | Yes | No | No | Yes | | E2E Key (A and B) | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+ +----------------------+------------+-------+-------+------------+
| HBH Key (A<=>MD X) | Yes | Yes | No | No | | HBH Key (A<=>MD X) | Yes | Yes | No | No |
+----------------------+------------+-------+-------+------------+ +----------------------+------------+-------+-------+------------+
| HBH Key (B<=>MD Y) | No | No | Yes | Yes | | HBH Key (B<=>MD Y) | No | No | Yes | Yes |
+----------------------+------------+---------------+------------+ +----------------------+------------+---------------+------------+
| HBH Key (MD X<=>MD Y)| No | Yes | Yes | No | | HBH Key (MD X<=>MD Y)| No | Yes | Yes | No |
+----------------------+------------+---------------+------------+ +----------------------+------------+---------------+------------+
skipping to change at page 19, line 39 skipping to change at page 20, line 39
| | | EKT Tag ... | R || | | | EKT Tag ... | R ||
| | +-+-+-+-+-+-+-+-+-+ | || | | +-+-+-+-+-+-+-+-+-+ | ||
| | +- Neither encrypted nor authenticated; || | | +- Neither encrypted nor authenticated; ||
| | appended after Double is performed || | | appended after Double is performed ||
| | || | | ||
| | || | | ||
| +- E2E Encrypted Portion E2E Authenticated Portion ---+| | +- E2E Encrypted Portion E2E Authenticated Portion ---+|
| | | |
+--- HBH Encrypted Portion HBH Authenticated Portion ----+ +--- HBH Encrypted Portion HBH Authenticated Portion ----+
I = Inner (E2E) encryption / authentication
O = Outer (HBH) encryption / authentication
Figure 6: Encrypted Media Packet Format Figure 6: Encrypted Media Packet Format
8. Security Considerations 8. Security Considerations
8.1. Third Party Attacks 8.1. Third Party Attacks
Third party attacks are attacks attempted by an adversary that is not Third party attacks are attacks attempted by an adversary that is not
supposed to have access to keying material or is otherwise not an supposed to have access to keying material or is otherwise not an
authorized participant in the conference. authorized participant in the conference.
On-path attacks are mitigated by hop-by-hop integrity protection and On-path attacks are mitigated by hop-by-hop integrity protection and
encryption. The integrity protection mitigates packet modification encryption. The integrity protection mitigates packet modification
and encryption makes selective blocking of packets harder, but not and encryption makes selective blocking of packets harder, but not
impossible. impossible.
Off-path attackers could try connecting to different PERC entities Off-path attackers could try connecting to different PERC entities to
and send specifically crafted packets. Endpoints and Media send specifically crafted packets with an aim of forcing the receiver
to forward or render bogus media packets. Endpoints and Media
Distributors mitigate such an attack by performing hop-by-hop Distributors mitigate such an attack by performing hop-by-hop
authentication and discarding packets that fail authentication. authentication and discarding packets that fail authentication.
Another attack vector is a third party claiming to be a Media Another attack vector is a third party claiming to be a Media
Distributor, fooling endpoints into sending packets to the false Distributor, fooling Endpoints into sending packets to the false
Media Distributor instead of the correct one. The deceived sending Media Distributor instead of the correct one. The deceived sending
endpoints could incorrectly assume their packets have been delivered Endpoints could incorrectly assume their packets have been delivered
to endpoints when they in fact have not. While this attack is to Endpoints when they in fact have not. While this attack is
possible, the result is a simple denial of service with no leakage of possible, the result is a simple denial of service with no leakage of
confidential information, since the false Media Distributor would not confidential information, since the false Media Distributor would not
have access to either HBH or E2E encryption keys. have access to either HBH or E2E encryption keys.
Use of mutual DTLS authentication (as required by DTLS-SRTP) ensures
that a false endpoint or false Media Distributor cannot interact with
a legitimate Media Distributor or endpoint. While confidentiality
would not be compromised by failing to implement mutual
authentication, employing it helps mitigate against denial of service
attacks wherein a false entity sends a stream of packets that the
would force a legitimate entity to spend time attempting to decrypt.
A third party could cause a denial-of-service by transmitting many A third party could cause a denial-of-service by transmitting many
bogus or replayed packets toward receiving devices that ultimately bogus or replayed packets toward receiving devices that ultimately
degrade conference or device performance. Therefore, implementations degrade conference or device performance. Therefore, implementations
might wish to devise mechanisms to safeguard against such might wish to devise mechanisms to safeguard against such
illegitimate packets, such as utilizing rate-limiting or performing illegitimate packets, such as utilizing rate-limiting or performing
basic sanity-checks on packets (e.g., looking at packet length or basic sanity-checks on packets (e.g., looking at packet length or
expected sequence number ranges) before performing more expensive expected sequence number ranges) before performing more expensive
decryption operations. decryption operations.
Use of mutual DTLS authentication (as required by DTLS-SRTP) also
helps to prevent a denial-of-service attack by preventing a false
Endpoint or false Media Distributor from successfully participating
as a perceived valid media sender that could otherwise carry out an
on-path attack. When mutual authentication fails, a receiving
Endpoint would know that it could safely discard media packets
received from the Endpoint without inspection.
8.2. Media Distributor Attacks 8.2. Media Distributor Attacks
A malicious or compromised Media Distributor can attack the session A malicious or compromised Media Distributor can attack the session
in a number of possible ways. in a number of possible ways.
8.2.1. Denial of service 8.2.1. Denial of service
A simple form of attack is discarding received packets that should be A simple form of attack is discarding received packets that should be
forwarded. This solution framework does not introduce any mitigation forwarded. This solution framework does not introduce any mitigation
for Media Distributors that fail to forward media packets. for Media Distributors that fail to forward media packets.
Another form of attack is modifying received packets before Another form of attack is modifying received packets before
forwarding. With this solution framework, any modification of the forwarding. With this solution framework, any modification of the
end-to-end authenticated data results in the receiving endpoint end-to-end authenticated data results in the receiving Endpoint
getting an integrity failure when performing authentication on the getting an integrity failure when performing authentication on the
received packet. received packet.
The Media Distributor can also attempt to perform resource The Media Distributor can also attempt to perform resource
consumption attacks on the receiving endpoint. One such attack would consumption attacks on the receiving Endpoint. One such attack would
be to insert random SSRC/CSRC values in any RTP packet with an inband be to insert random SSRC/CSRC values in any RTP packet along with a
key-distribution message attached (i.e., Full EKT Tag). Since such a Full EKT Tag. Since such a message would trigger the receiver to
message would trigger the receiver to form a new cryptographic form a new cryptographic context, the Media Distributor can attempt
context, the Media Distributor can attempt to consume the receiving to consume the receiving Endpoint's resources. While E2E
endpoints resources. While E2E authentication would fail and the authentication would fail and the cryptographic context would be
cryptographic context would be destroyed, the key derivation destroyed, the key derivation operation would nonetheless consume
operation would nonetheless consume some computational resources. some computational resources. While resource consumption attacks
While resource consumption attacks cannot be mitigated entirely, cannot be mitigated entirely, rate-limiting packets might help reduce
rate-limiting packets might help reduce the impact of such attacks. the impact of such attacks.
8.2.2. Replay Attack 8.2.2. Replay Attack
A replay attack is when an already received packet from a previous A replay attack is when an already received packet from a previous
point in the RTP stream is replayed as new packet. This could, for point in the RTP stream is replayed as new packet. This could, for
example, allow a Media Distributor to transmit a sequence of packets example, allow a Media Distributor to transmit a sequence of packets
identified as a user saying "yes", instead of the "no" the user identified as a user saying "yes", instead of the "no" the user
actually said. actually said.
A replay attack is mitigated by the requirement to implement replay A replay attack is mitigated by the requirement to implement replay
protection as described in Section 3.3.2 of [RFC3711]. End-to-end protection as described in Section 3.3.2 of [RFC3711]. End-to-end
replay protection MUST be provided for the duration of the replay protection MUST be provided for the duration of the
conference. conference.
8.2.3. Delayed Playout Attack 8.2.3. Delayed Playout Attack
A delayed playout attack is one where media is received and held by a A delayed playout attack is one where media is received and held by a
media distributor and then forwarded to endpoints at a later point in Media Distributor and then forwarded to Endpoints at a later point in
time. time.
This attack is possible even if E2E replay protection is in place. This attack is possible even if E2E replay protection is in place.
However, due to fact that the Media Distributor is allowed to select Because the Media Distributor is allowed to select a subset of
a subset of streams and not forward the rest to a receiver, such as streams and not forward the rest to a receiver, such as in forwarding
in forwarding only the most active speakers, the receiver has to only the most active speakers, the receiver has to accept gaps in the
accept gaps in the E2E packet sequence. The issue with this is that E2E packet sequence. The issue with this is that a Media Distributor
a Media Distributor can select to not deliver a particular stream for can select to not deliver a particular stream for a while.
a while.
Within the window from last packet forwarded to the receiver and the While the Media Distributor can purposely stop forwarding media
latest received by the Media Distributor, the Media Distributor can flows, it can also select an arbitrary starting point to resume
select an arbitrary starting point when resuming forwarding packets. forwarding those media flow, perhaps forwarding old packets rather
Thus what the media source said can be substantially delayed at the than current packets. As a consequence, what the media source sent
receiver with the receiver believing that it is what was said just can be substantially delayed at the receiver with the receiver
now, and only delayed due to transport delay. believing that newly arriving packets are delayed only by transport
delay when the packets may actually be minutes or hours old.
While this attack cannot be eliminated entirely, its effectiveness While this attack cannot be eliminated entirely, its effectiveness
can be reduced by re-keying the conference periodically since can be reduced by re-keying the conference periodically since
significantly-delayed media encrypted with expired keys would not be significantly-delayed media encrypted with expired keys would not be
decrypted by endpoints. decrypted by Endpoints.
8.2.4. Splicing Attack 8.2.4. Splicing Attack
A splicing attack is an attack where a Media Distributor receiving A splicing attack is an attack where a Media Distributor receiving
multiple media sources splices one media stream into the other. If multiple media sources splices one media stream into the other. If
the Media Distributor were able to change the SSRC without the the Media Distributor were able to change the SSRC without the
receiver having any method for verifying the original source ID, then receiver having any method for verifying the original source ID, then
the Media Distributor could first deliver stream A and then later the Media Distributor could first deliver stream A and then later
forward stream B under the same SSRC as stream A was previously forward stream B under the same SSRC as stream A was previously
using. By including the SSRC in the integrity check for each packet, using. By including the SSRC in the integrity check for each packet,
both HBH and E2E, PERC prevents splicing attacks. both HBH and E2E, PERC prevents splicing attacks.
8.2.5. RTCP Attacks 8.2.5. RTCP Attacks
PERC does not provide end-to-end protection of RTCP messages. This PERC does not provide end-to-end protection of RTCP messages. This
allows a compromised Media Distributor to impact any message that allows a compromised Media Distributor to impact any message that
might be transmitted via RTCP, including media statistics, picture might be transmitted via RTCP, including media statistics, picture
requests, or loss indication. It is also possible for a compromised requests, or loss indication. It is also possible for a compromised
Media Distributor to forge requests, such as requests to the endpoint Media Distributor to forge requests, such as requests to the Endpoint
to send a new picture. Such requests can consume significant to send a new picture. Such requests can consume significant
bandwidth and impair conference performance. bandwidth and impair conference performance.
8.3. Key Distributor Attacks
As stated in Section 3.2.2, the Key Distributor needs to be secured
since exploiting the Key Server can allow an adversary to gain access
to the keying material for one or more conferences. Having access to
that keying material would then allow the adversary to decrypt media
sent from any Endpoint in the conference.
As a first line of defense, the Key Distributor authenticates every
security association, both associations with Endpoints and Media
Distributors. The Key Distributor knows which entities are
authorized to have access to which keys and inspection of
certificates will substantially reduce the risk of providing keys to
an adversary.
Both physical and network access to the Key Distributor should be
severely restricted. This may be more difficult to achieve when the
Key Distributor is embedded within and Endpoint, for example.
Nonetheless, consideration should be given to shielding the Key
Distributor from unauthorized access or any access that is not
strictly necessary for the support of an ongoing conference.
Consideration should be given to whether access to the keying
material will be needed beyond the conclusion of a conference. If
not needed, the Key Distributor's policy should be to destroy the
keying material once the conference concludes or when keying material
changes during the course of the conference. If keying material is
needed beyond the lifetime of the conference, further consideration
should be given to protecting keying material from future exposure.
While it might be obvious, it is worth stating to avoid any doubt
that if an adversary were to record the media packets transmitted
during a conference and then gain unauthorized access to the keying
material left unsecured on the Key Distributor even years later, the
adversary could decrypt the content every packet transmitted during
the conference.
8.4. Endpoint Attacks
A Trusted Endpoint is so named because conference confidentiality
relies heavily on the security and integrity of the Endpoint. If an
adversary successfully exploits a vulnerability in an Endpoint, it
might be possible for the adversary to obtain all of the keying
material used in the conference. With that keying material, an
adversary could decrypt any of the media flows received from any
other Endpoint, either in real-time or at a later point in time
(assuming the adversary makes a copy of the media packets).
Additionally, if an adversary successfully exploits an Endpoint, the
adversary could inject media into the conference. One way an
adversary could do that is by manipulating the RTP or SRTP software
to transmit whatever media the adversary wishes to send. This could
involve re-use of the Endpoint's SSRC, a new SSRC, or the SSRC value
of an existing endpoint. This is made possible since all conference
participants share the same KEK. Only a single SRTP cipher suite
defined provides source authentication properties that allow an
endpoint to cryptographically assert that it sent a particular E2E
protected packet (namely, TESLA [RFC4383]), and its usage is
presently not defined for PERC. The suite defined in PERC only
allows an Endpoint to determine that whoever sent a packet had
received the KEK.
However, attacks on the endpoint are not limited to the PERC-specific
software within the Endpoint. An attacker could inject media or
record media by manipulating the software that sits between the PERC-
enabled application and the hardware microphone of video camera, for
example. Likewise, an attacker could potentially access confidential
media by accessing memory, cache, disk storage, etc. if the endpoint
is no secured.
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations for this document. There are no IANA considerations for this document.
10. Acknowledgments 10. Acknowledgments
The authors would like to thank Mo Zanaty, Christian Oien, and The authors would like to thank Mo Zanaty, Christian Oien, and
Richard Barnes for invaluable input on this document. Also, we would Richard Barnes for invaluable input on this document. Also, we would
like to acknowledge Nermeen Ismail for serving on the initial like to acknowledge Nermeen Ismail for serving on the initial
versions of this document as a co-author. We would also like to versions of this document as a co-author. We would also like to
skipping to change at page 24, line 10 skipping to change at page 26, line 37
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC4353] Rosenberg, J., "A Framework for Conferencing with the [RFC4353] Rosenberg, J., "A Framework for Conferencing with the
Session Initiation Protocol (SIP)", RFC 4353, Session Initiation Protocol (SIP)", RFC 4353,
DOI 10.17487/RFC4353, February 2006, DOI 10.17487/RFC4353, February 2006,
<https://www.rfc-editor.org/info/rfc4353>. <https://www.rfc-editor.org/info/rfc4353>.
[RFC4383] Baugher, M. and E. Carrara, "The Use of Timed Efficient
Stream Loss-Tolerant Authentication (TESLA) in the Secure
Real-time Transport Protocol (SRTP)", RFC 4383,
DOI 10.17487/RFC4383, February 2006,
<https://www.rfc-editor.org/info/rfc4383>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>. July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <https://www.rfc-editor.org/info/rfc5763>. 2010, <https://www.rfc-editor.org/info/rfc5763>.
skipping to change at page 24, line 42 skipping to change at page 27, line 27
[RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667, [RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
DOI 10.17487/RFC7667, November 2015, DOI 10.17487/RFC7667, November 2015,
<https://www.rfc-editor.org/info/rfc7667>. <https://www.rfc-editor.org/info/rfc7667>.
[RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, [RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
"Authenticated Identity Management in the Session "Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 8224, Initiation Protocol (SIP)", RFC 8224,
DOI 10.17487/RFC8224, February 2018, DOI 10.17487/RFC8224, February 2018,
<https://www.rfc-editor.org/info/rfc8224>. <https://www.rfc-editor.org/info/rfc8224>.
[W3C.CR-webrtc-20180927]
Bergkvist, A., Burnett, D., Jennings, C., Narayanan, A.,
Aboba, B., Brandstetter, T., and J. Bruaroey, "WebRTC 1.0:
Real-time Communication Between Browsers", World Wide Web
Consortium CR CR-webrtc-20180927, September 2018,
<https://www.w3.org/TR/2018/CR-webrtc-20180927>.
Authors' Addresses Authors' Addresses
Paul E. Jones Paul E. Jones
Cisco Cisco
7025 Kit Creek Rd. 7025 Kit Creek Rd.
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
Phone: +1 919 476 2048 Phone: +1 919 476 2048
Email: paulej@packetizer.com Email: paulej@packetizer.com
 End of changes. 129 change blocks. 
280 lines changed or deleted 391 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/